A detailed write-up for CVE-2026-4747, a remote kernel code execution vulnerability in FreeBSD's RPCSEC_GSS implementation. The bug is a stack buffer overflow in svc_rpc_gss_validate() where a 128-byte stack buffer receives an unchecked memcpy of the RPCSEC_GSS credential body (up to 400 bytes via XDR). The write-up covers the full exploit chain: lab setup with Kerberos KDC, De Bruijn pattern analysis to find the correct RIP offset (byte 200), ROP gadget selection, a 15-round multi-packet attack that writes 432 bytes of shellcode to kernel BSS (made RWX via pmap_change_prot), and a two-phase shellcode using kproc_create + kern_execve to spawn a root reverse shell. Key engineering challenges documented include Kerberos hostname canonicalization pitfalls, inherited debug register crashes (DR7), and thread exhaustion requiring at least 2 CPUs.
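The root cause described above is a length check that is missing before a memcpy into a fixed-size stack buffer. The following C program is an added illustration of the defensive pattern, not FreeBSD's svc_rpc_gss_validate() and not code from the write-up: a small XDR variable-length opaque decoder (RFC 4506 encoding: 4-byte big-endian length, data, padding to a 4-byte boundary) that validates the declared length against the protocol maximum, the destination buffer and the remaining message before copying. The 128-byte destination and 400-byte maximum body size are taken from the summary; the message contents, function names and the `try_*` helpers are constructed for the example.

```c
/* Added example: a bounds-checked XDR opaque decoder. Not FreeBSD's
 * RPCSEC_GSS code; sizes below come from the summary, everything else
 * is constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CRED_BUF_SIZE   128   /* fixed-size destination, as in the summary */
#define XDR_MAX_CRED    400   /* maximum credential body the XDR allows */

/* Decode a big-endian 32-bit XDR unsigned int. */
static uint32_t xdr_get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decode an XDR variable-length opaque into dst.
 * Returns bytes consumed from msg, or 0 if the item is rejected.
 * out_len receives the payload length actually copied. */
size_t xdr_opaque_copy_checked(const uint8_t *msg, size_t msg_len,
                               uint8_t *dst, size_t dst_size,
                               size_t *out_len)
{
    if (msg_len < 4)
        return 0;                 /* no room for the length word */
    uint32_t len = xdr_get_u32(msg);
    if (len > XDR_MAX_CRED)
        return 0;                 /* exceeds the protocol maximum */
    if (len > dst_size)
        return 0;                 /* the check an unchecked memcpy omits:
                                     body must fit the destination buffer */
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (padded > msg_len - 4)
        return 0;                 /* declared length runs past the message */
    memcpy(dst, msg + 4, len);
    *out_len = len;
    return 4 + padded;
}

/* Construct an XDR opaque of `len` filler bytes in buf (test data only).
 * Returns the encoded size, or 0 if buf is too small. */
size_t build_opaque(uint8_t *buf, size_t buf_size, uint32_t len, uint8_t fill) {
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (buf_size < 4 + padded)
        return 0;
    buf[0] = (uint8_t)(len >> 24); buf[1] = (uint8_t)(len >> 16);
    buf[2] = (uint8_t)(len >> 8);  buf[3] = (uint8_t)len;
    memset(buf + 4, fill, len);
    memset(buf + 4 + len, 0, padded - len);
    return 4 + padded;
}

/* Feed a constructed body of body_len bytes through the decoder.
 * Returns 1 if accepted, 0 if rejected. */
int try_cred_body(uint32_t body_len) {
    uint8_t msg[4 + XDR_MAX_CRED + 4];
    uint8_t cred[CRED_BUF_SIZE];      /* same fixed size as in the summary */
    size_t got = 0;
    size_t n = build_opaque(msg, sizeof msg, body_len, 0x41);
    if (n == 0)
        return 0;
    return xdr_opaque_copy_checked(msg, n, cred, sizeof cred, &got) != 0
           && got == body_len;
}

/* A message whose length word (100) claims more data than is present (20). */
int try_truncated(void) {
    uint8_t msg[24] = {0};
    uint8_t cred[CRED_BUF_SIZE];
    size_t got = 0;
    msg[3] = 100;
    return xdr_opaque_copy_checked(msg, sizeof msg, cred, sizeof cred, &got) != 0;
}

int main(void) {
    printf("100-byte body: %s\n", try_cred_body(100) ? "accepted" : "rejected");
    printf("400-byte body: %s\n", try_cred_body(400) ? "accepted" : "rejected");
    printf("truncated:     %s\n", try_truncated()    ? "accepted" : "rejected");
    return 0;
}
```

The three rejections are independent on purpose: a body can be within the protocol maximum and still not fit the destination, and a body that fits the destination can still claim more bytes than the packet carries. Either omission leaves a memcpy that trusts attacker-supplied length.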
Table of contents
Full Remote Kernel RCE → uid 0 Reverse Shell
1. The Vulnerability
2. Target Setup
3. Exploitation
4. The Shellcode
5. Challenges Encountered
6. Exploit Summary